Poppler 22.09.0 has been released on September 1, fixing a security issue:
The issue is similar to CVE-2022-38171 for xpdf (Bug 30804). I don't know if there are/were issues in poppler similar to the other CVEs in Bug 30804 or if we've addressed them yet.
Mageia 8 is also affected.
Fixed upstream in 22.09.0
poppler-22.09.0-1.mga9 uploaded for Cauldron by Jani.
Some more background on this:
Debian has issued an advisory for this on September 6:
Ubuntu has issued an advisory for this on September 12:
(In reply to David Walser from comment #4)
> Ubuntu has issued an advisory for this on September 12:
A further update was needed to complete the fix:
Fedora has issued an advisory for this today (September 22):
Debian-LTS has issued an advisory for this today (September 26):
The updated packages fix a security vulnerability:
Poppler prior to and including 22.08.0 contains an integer overflow in the JBIG2 decoder (JBIG2Stream::readTextRegionSeg() in JBIGStream.cc). Processing a specially crafted PDF file or JBIG2 image could lead to a crash or the execution of arbitrary code. This is similar to the vulnerability described by CVE-2022-38171 in Xpdf. (CVE-2022-38784)
Updated packages in core/updates_testing:
$ urpmq --whatrequires lib64poppler105-20.12.1| uniq | grep -v lib64poppler
Updated the whole list from testing: qarepo(* fuzzy) -> MageiaUpdate.
Referred to bug 30690 for testing.
$ pdftohtml UsingDocker.pdf docker.html
355 pages converted. Viewed docker.html with firefox which displayed a page index as a left-hand column of links and the text and graphics to the right.
Tried the other pdf utilities and noted no regressions.
$ strace -o djvu.trace pdf2djvu -o test.djv module_cheat_sheet.pdf
- page #1 -> #1
0.021 bits/pixel; 6.079:1, 83.55% saved, 136259 bytes in, 22416 bytes out
$ ll *.djv
-rw-r--r-- 1 lcl lcl 22416 Oct 19 23:45 test.djv
$ grep poppler djvu.trace
openat(AT_FDCWD, "/lib64/libpoppler.so.105", O_RDONLY|O_CLOEXEC) = 3
Looks like this can go out.
Validating. Advisory in Comment 8.
An update for this issue has been pushed to the Mageia Updates repository.